APWG, founded in 2003, is a not-for-profit group dedicated to sharing information to fight cybercrime. It acts as a clearinghouse for cybercrime event data, distributing millions of reports on phishing sites and other indicators of compromise to help organizations defend themselves. Its members include Microsoft, PayPal, McAfee, RSA and many financial institutions.

Convincing organizations to share data with APWG has not always been easy, Cain says. But the idea is that more sharing enhances the capabilities of organizations to build better defenses against criminal activity.

But GDPR has caused a fair amount of consternation, with good reason: Data protection authorities can levy large fines against organizations that are found to have violated its tenets. There's also a certain amount of ambiguity over exactly what regulators think is OK regarding data sharing (see Europe's Strong GDPR Privacy Rules Go Into Full Effect).

APWG and Cain have sought to gain clarity in order to continue to expand threat intelligence sharing, and as Cain puts it, "cause the attorneys to calm down." He notes: "GDPR could be good for data sharing, mostly because it's going to force the techies to sit down and say 'Here's what really we're doing' and we'll get the lawyers comfortable with it, and they may be more willing to share."

Collective Defense

APWG has a tightly vetted model for accepting and sharing data. Those who are receiving data must sign a two-page data-sharing agreement, or DSA, that sets the expectations for how the information can be used, Cain says.

Organizations often have informal arrangements to exchange threat intelligence, such as a secret Google group. That relies on each party trusting the other not to do anything potentially harmful, such as publishing or selling the data, Cain says.

The DSAs ensure that parties sharing information will not be publicly identified. And they have been successful in putting lawyers at ease, Cain contends.

"Some of the bigger companies are getting more comfortable with it [threat intelligence sharing] as they see the benefits of it," he says.

There's value in a collective defense: The more data, the better.

"The bad guys don't go after one bank," Cain says. "They go after 20 at a time. They don't go after one car manufacturer; they go after all the car manufacturers. It's impossible to have your fingers in the entire internet looking for stuff. So you have to rely on other people."

APWG's DSAs are already a perfect fit with GDPR. Under the regulation, two organizations sharing data are supposed to have binding corporate rules for sharing and handling that information. But there are other unknowns with GDPR.

Code Of Conduct

APWG has been exploring for the past 18 months how GDPR would impact its operations, Cain says. The regulation runs 130 pages, and Cain has taken a lead role in determining how to ensure APWG complies.

Europe didn't issue a guide for how to comply with the regulation, and there are no court precedents, which has left granular questions unanswered. "There's been lots of guessing over what the right things to do are," Cain says.

APWG works closely with many treaty organizations and European governments, so it has been asking questions and getting solid feedback on how to be compliant. In late May, APWG held a data symposium in Barcelona, one in a series of three events that focus on data sharing, to work through concerns and barriers.

APWG has also been drafting a code of conduct, another recommendation within GDPR. That is under evaluation, and eventually APWG will send it to data protection authorities in Europe to test it for "adequacy," which means it complies with GDPR's tenets.

If APWG's code of conduct is deemed adequate, the organization can take it to companies and assure them they're in good shape with regulators if they follow the code, Cain says.

A point of concern for APWG is its collection of malicious IPs. Under GDPR, IP addresses can be considered personal data if an address can be linked back to a person.

"We think that we could make a case that it's not personal data because we have no idea who the individual behind it is," Cain says. "But a lot of the lawyers in the members community were like: 'Oh my god. It's got IP addresses.'"

GDPR also includes a provision for a private right of action, Cain says. That means an individual, not only a data protection authority, could sue a company, so organizations need to tread carefully. In the end, Cain feels confident that APWG will marshal the support for its efforts.

"We're helping crime fighting," Cain says. "It's not in any government's best interests to dissuade us from doing crime fighting."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
